From fad1bf51412d08408ca4a1bbb2a77d460f987750 Mon Sep 17 00:00:00 2001
From: Luke Tomlinson
Date: Wed, 5 May 2021 16:32:13 -0400
Subject: [PATCH] Strip INPUT_* env variables from subprocesses
---
 packages/exec/__tests__/exec.test.ts | 9 +++++++++
 packages/exec/src/interfaces.ts | 2 +-
 packages/exec/src/toolrunner.ts | 12 +++++++++++-
 3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/packages/exec/__tests__/exec.test.ts b/packages/exec/__tests__/exec.test.ts
index f4dfab0f..3c5ba817 100644
--- a/packages/exec/__tests__/exec.test.ts
+++ b/packages/exec/__tests__/exec.test.ts
@@ -1,4 +1,5 @@
 import * as exec from '../src/exec'
+import * as tr from '../src/toolrunner'
 import * as im from '../src/interfaces'
 import * as childProcess from 'child_process'
@@ -620,6 +621,14 @@ describe('@actions/exec', () => {
 expect(output.trim()).toBe(`args[0]: "hello"${os.EOL}args[1]: "world"`)
 })
+ it('tool runner strips INPUT_ params from environment for child process', () => {
+ const env = {INPUT_TEST: 'input value', SOME_OTHER_ENV: 'some other value'}
+ const sanitizedEnv = tr.stripInputEnvironmentVariables(env)
+
+ expect(sanitizedEnv).not.toHaveProperty('INPUT_TEST')
+ expect(sanitizedEnv).toHaveProperty('SOME_OTHER_ENV')
+ })
+
 if (IS_WINDOWS) {
 it('Exec roots relative tool path using process.cwd (Windows path separator)', async () => {
 let exitCode: number
diff --git a/packages/exec/src/interfaces.ts b/packages/exec/src/interfaces.ts
index 436fc0ac..0bef2f69 100644
--- a/packages/exec/src/interfaces.ts
+++ b/packages/exec/src/interfaces.ts
@@ -6,7 +6,7 @@ export interface ExecOptions {
 /** optional working directory. defaults to current */
 cwd?: string
- /** optional envvar dictionary. defaults to current process's env */
+ /** optional envvar dictionary. defaults to current process's env with `INPUT_*` variables removed */
 env?: {[key: string]: string}
 /** optional. defaults to false */
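Review bot: The test added in the `@@ -620,6 +621,14 @@` hunk of `packages/exec/__tests__/exec.test.ts` only calls `stripInputEnvironmentVariables` directly, so nothing checks the behaviour the commit is for: that a process started without `options.env` does not see `INPUT_*`. A regression in the `options.env || ...` default in toolrunner.ts would leave this test green. I would add a case that sets an `INPUT_*` variable in `process.env`, runs a child that prints its environment through `exec.exec`, and asserts the variable is absent from the output. A second case should pin what the child receives when the caller passes its own `env`.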
diff --git a/packages/exec/src/toolrunner.ts b/packages/exec/src/toolrunner.ts
index 6b73d608..fb4acf5a 100644
--- a/packages/exec/src/toolrunner.ts
+++ b/packages/exec/src/toolrunner.ts
@@ -377,7 +377,7 @@ export class ToolRunner extends events.EventEmitter {
 options = options || {}
 const result = {}
 result.cwd = options.cwd
- result.env = options.env
+ result.env = options.env || stripInputEnvironmentVariables(process.env)
 result['windowsVerbatimArguments'] = options.windowsVerbatimArguments || this._isCmdFile()
 if (options.windowsVerbatimArguments) {
@@ -600,6 +600,16 @@ export function argStringToArray(argString: string): string[] {
 return args
 }
+// Strips INPUT_ environment variables to prevent them leaking to child processes
+export function stripInputEnvironmentVariables(env: NodeJS.ProcessEnv): NodeJS.ProcessEnv {
+ return Object.entries(env).filter(([key, value]) => {
+ return !key.startsWith('INPUT_')
+ }).reduce((obj: NodeJS.ProcessEnv, [key, value]) => {
+ obj[key] = value
+ return obj
+ }, {})
+}
+
 class ExecState extends events.EventEmitter {
 constructor(options: im.ExecOptions, toolPath: string) {
 super()
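Review bot: In the `@@ -377,7 +377,7 @@` hunk of toolrunner.ts the stripping runs only when `options.env` is falsy, so a caller that passes `env: {...process.env, FOO: 'bar'}` still hands every `INPUT_*` value to the child. Action inputs often carry tokens, so this path deserves either the same filtering or an explicit statement on `ExecOptions.env` in interfaces.ts, for example `/** optional envvar dictionary, passed to the child as given; INPUT_* is removed only from the default */`. Separately, children that read their inputs from the inherited environment will stop seeing them after this change, which looks like a breaking change worth a release note. The enclosing method starts and ends outside the hunk.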
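Review bot: `key.startsWith('INPUT_')` in the new `stripInputEnvironmentVariables` (hunk `@@ -600,6 +600,16 @@`) is a case-sensitive match, while environment variable names on Windows are case-insensitive. A variable stored there under a differently cased name would presumably survive the filter and still resolve as an input in the child; that is worth a comment or a Windows test case. The filter callback also destructures `value` without using it; `.filter(([key]) => !key.startsWith('INPUT_'))` is enough. As an exported function it should carry a TSDoc block rather than a `//` line, stating that it returns a new object and leaves `env` untouched.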